After the FBI officially blamed North Korea for the Sony Pictures hack, President Obama made a pronouncement that sounded a lot like fighting words: "We will respond, we will respond proportionally, and in a place and time that we choose," said Obama Friday. Days later, North Korea's shaky Internet went down, leading many to speculate that the U.S. government had retaliated for the Sony Pictures hack. However, security experts say the attack that temporarily knocked the isolated nation offline looks more like the work of hacker pranksters than a vengeful U.S. government.
Here's the timeline that makes it doubtful the U.S. started a 'cyberwar': Over the weekend, an anonymous person published a guide to North Korea's digital infrastructure after performing a scan of the machines connected to the Internet in the country. Along with an analysis of the tech and software North Korea is using, the guide included a list of the IP addresses the country uses to connect to the wider world.
"A scan like that is basically reconnaissance for an attack," says Norm Laudermilch, COO of threat analysis firm Invincea. It gives anyone seeking to overwhelm a network the targets at which they need to aim.
The day after the guide was published, North Korea's network was flooded with connection requests as part of a DDoS (distributed denial of service) attack, according to Arbor Networks, a security company that published an analysis of the attack. "The attack was not that big. North Korea’s infrastructure and connectivity are not robust," says Laudermilch. "The total amount of bandwidth was equivalent to 500 people streaming a high-def film. In other words, a neighborhood of people watching a movie online can bring down North Korea's Internet."
Laudermilch called it a "brute force, unsophisticated attack" that one would expect from a group of hackers with a botnet of enslaved devices under their control, not the "laser precision attack" expected from a nation state.
Arbor Networks' Dan Holden came to the same conclusion. "I'm quite sure that this is not the work of the U.S. government," wrote Holden. "Much like a real world strike from the U.S., you probably wouldn't know about it until it was too late. This is not the modus operandi of any government work."
Security expert Dan Tentler says that if the U.S. government wanted to take North Korea offline, there is a far more precise way to do it than a clunky and highly visible DDoS attack. "If the stuff we learned about the NSA is to be believed, and they wanted to 'take North Korea offline', it would be as easy as twiddling with [its Internet gateway]," said Tentler by email. "Their main uplink is a SINGLE link that connects through China."
Hacker groups loosely affiliated with Anonymous have been claiming credit for the North Korea Internet takedown, with both the Lizard Squad and Gator League making boasts on Twitter about successfully DDoSing the country.
North Korea is back online Tuesday after an outage of just nine and a half hours, according to Dyn Research. "If it were a nation state that took them down, they would not be back up again this quickly," says Laudermilch. "All of this indicates it was not an advanced adversary."
Laudermilch says that if sophisticated nation state actors — a.k.a. U.S. Cyber Command — did decide to take North Korea's Internet down, the country wouldn't see it coming and there wouldn't be an obvious evidence trail left in the attack's wake.